3

In the option below from AWS Certificate Manager, I have an option to create a subordinate CA but not a root CA.


The goal is to first create a root CA certificate and then create a subordinate CA that is signed (issued) by the root CA's private key.

The documentation also talks about creating a subordinate CA but not about a root CA.


Does AWS Certificate Manager allow creating a private root CA? If yes, how do I create a private root CA with AWS Certificate Manager?

overexchange

2 Answers

4

This changed today. ACM Private CA now supports creating roots and subordinates.

https://forums.aws.amazon.com/ann.jspa?annID=6894

1

To use AWS ACM Private Certificate Authority, you must already have an intermediate or root CA available in your organization. Once you create the subordinate CA, you will generate a CSR and sign it with your certificate. This service is a low-cost solution for managing the issuance and renewals of private certificates.

If your goal is to create a Root CA that the world will accept for SSL certificates, that is going to be a very difficult challenge. Very few companies qualify to be a Certificate Authority and this requires a big investment in infrastructure, security, policies, and procedures.

John Hanley
  • We have a root CA within our organization. I have created an intermediate CA. The root CA is in my key store on Mac. How to sign a CSR with the root CA? Do I need to just export the root CA to a file (`.cer`) and then import it at the `Certificate chain` option? – overexchange Jun 20 '19 at 14:54
  • When you create the subordinate CA, you will next create a CSR. Then you will sign the CSR with your certificate. – John Hanley Jun 20 '19 at 15:04
  • Yes, I created a CSR for the subordinate CA, and then I need to import a file in the `Certificate body` and then the `Certificate chain` section. I am **stuck** here. From my side, I have the `Entrust root CA` certificate in my key store (`.cer` file). What should I import in `Certificate body` and `Certificate chain`? – overexchange Jun 20 '19 at 15:07
  • I am not sure what you mean by import a file. What documentation are you following? This AWS documentation covers this in detail: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html – John Hanley Jun 20 '19 at 15:19
  • Ah... it says... `Obtain a signed certificate from the parent of this certificate authority (CA). Submit the following certificate signing request (CSR) to the parent CA. Have the parent CA sign it and create a certificate. Click 'Next' when you have the signed certificate and are ready to import it. ` – overexchange Jun 20 '19 at 15:34
  • I don't know what infrastructure you have set up. You sign the CSR which creates another certificate. You import this new certificate (the output from signing). Please create a NEW question for further help providing specific details on what you have setup. – John Hanley Jun 20 '19 at 15:34
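The comment thread above stops at "you sign the CSR, which creates another certificate, and import that output". As an added example, not code from the thread, from AWS, or from the ACM PCA documentation, here is that hand-off done end to end with openssl on a throwaway hierarchy: a self-signed private root signs a subordinate CA's CSR, the result is checked the way ACM PCA will chain it after import, and the script states which file belongs in `Certificate body` and which in `Certificate chain`. It assumes `openssl` is on PATH; every subject name, file name and validity period is made up for the demo, and the subordinate CSR is generated locally because ACM PCA's own CSR is not available offline.

```shell
#!/bin/sh
# Added example, not from the thread or from AWS: a private root CA signs a
# subordinate CA's CSR, then the chain is verified before "import".
# Assumes openssl on PATH; all names, paths and lifetimes are made up.
set -eu

# Scratch directory so no real key material is touched.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# One config file: the DN is overridden per command with -subj, and the two
# extension sections are chosen with -extensions. Heredoc is left-aligned on purpose.
write_config() {
cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_sub_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Step 1: self-signed root. In real use this key stays offline or in an HSM.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/ca.cnf" -extensions v3_root_ca \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" 2>/dev/null
}

# Step 2: the subordinate's CSR. ACM PCA generates this for you; openssl stands in here.
make_sub_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -config "$WORKDIR/ca.cnf" \
    -subj "/CN=Example Private Subordinate CA" \
    -keyout "$WORKDIR/sub.key" -out "$WORKDIR/sub.csr" 2>/dev/null
}

# Step 3: the parent signs the CSR. CA extensions come from the signer's
# extfile, never from the CSR, so a requester cannot grant itself CA:TRUE.
sign_sub_csr() {
  openssl x509 -req -in "$WORKDIR/sub.csr" \
    -CA "$WORKDIR/root.crt" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -days 1825 -sha256 \
    -extfile "$WORKDIR/ca.cnf" -extensions v3_sub_ca \
    -out "$WORKDIR/sub.crt" 2>/dev/null
}

# The same check ACM PCA performs on import: the subordinate must chain to the root.
verify_subordinate() {
  openssl verify -CAfile "$WORKDIR/root.crt" "$WORKDIR/sub.crt" >/dev/null 2>&1
}

# "yes" if the issued certificate really carries CA:TRUE (a common miss when the
# parent signs with server-certificate defaults).
subordinate_is_ca() {
  if openssl x509 -in "$WORKDIR/sub.crt" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# Issuer of the subordinate must equal the root's subject.
issuer_matches_root() {
  issuer=$(openssl x509 -in "$WORKDIR/sub.crt" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  subject=$(openssl x509 -in "$WORKDIR/root.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

# Which file goes into which field on the ACM PCA import screen.
acm_import_fields() {
  echo "Certificate body : $WORKDIR/sub.crt  (the certificate the parent just issued)"
  echo "Certificate chain: $WORKDIR/root.crt (the issuers above it; here only the root)"
}

build_hierarchy() {
  write_config
  make_root_ca
  make_sub_csr
  sign_sub_csr
}

main() {
  build_hierarchy
  if verify_subordinate; then echo "subordinate chains to root: OK"; else echo "chain FAILED"; fi
  echo "subordinate is a CA: $(subordinate_is_ca)"
  acm_import_fields
}

main
```

The point the script makes concrete is the one the answer gives in a sentence: the `.cer` already in the asker's key store is not what gets imported as the body; the body is the new certificate produced by signing ACM PCA's CSR, and the chain is the certificate(s) of whoever issued it. Whatever tool the organization's root uses in place of `openssl x509 -req`, the `verify_subordinate` and `subordinate_is_ca` checks are worth running on the output before the import, because a subordinate signed with non-CA extensions will be rejected or will be unable to issue.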